The Compliance Bone Connected to the Security Bone: Sharing Accountability in IT, Risk, and Compliance
Once upon a time, there was a compliance check-box mentality
Throughout my career in the compliance and security space, I have watched proactive management of digital risk move from a nice-to-have to a must-have for enterprise organizations, and over the last five years things have shifted drastically. It reminds me of the classic "Dry Bones" song my son loves so much, which walks through how all the different bones connect to make one body.
Compliance, Risk Management, Security, and IT are all bones connected to form the body of an organization—but we haven’t always treated them as such.
When GDPR blew up traditional GRC
Global regulations such as the EU's General Data Protection Regulation (GDPR), with penalties of unprecedented scale, have acted as a catalyst for organizations to inventory what types of data live in their networks and infrastructure so that they can manage and protect that data properly.
As it became clear that regulations like GDPR would keep coming, organizations had to decide who was in charge of finding this valuable data and ensuring its security and compliance. When GDPR took effect in 2018, it required many organizations to appoint a Data Protection Officer (DPO) accountable for data protection. Yes, GDPR is a mammoth regulation, but enterprise leaders also needed to know how its requirements align and overlap with other regulations such as HIPAA, PCI DSS, and FedRAMP, and how those regulations map onto the security frameworks they may already be using, such as NIST or ISO frameworks, or the increasingly adopted Center for Internet Security (CIS) Benchmarks. It was apparent to those of us in this space that the scope of traditional GRC had just exploded.
The DPO role did not yet widely exist at enterprise companies in 2018, so it became a driver for organizations to redefine who owns what within the scope of compliance. Enterprises soon realized there was a lot of crossover between the various business-problem owners, especially in IT, compliance, security, and risk management: the bones were connected whether or not the org chart said so.
Unraveling the growing compliance conundrum
Traditional GRC (Governance, Risk, and Compliance) departments often rolled up to the CISO (Chief Information Security Officer), sometimes with a Risk Officer in between, and the CISO in turn often rolled up to the CIO (Chief Information Officer). The threat landscape was evolving rapidly, and security soon moved from a departmental challenge to a board-level discussion.
Unraveling of the silos – The evolving role of the CISO
The role of the CISO had to evolve from focusing primarily on reactive cybersecurity strategies to encompassing the company's combined goals of security, compliance, and risk management. Analysts such as Gartner soon outlined the idea of Integrated Risk Management (IRM), which includes digital and cyber risk management.
The CISO became accountable not just for cybersecurity but for fostering a secure and compliant culture throughout the business. One way a CISO can accomplish this is by partnering internally with IT Operations, risk, and compliance leaders to reduce siloed work, because the gaps between silos are where vulnerabilities and compliance drift go unnoticed.
By 2021 these roles and responsibilities have evolved again. The start of the COVID-19 pandemic in 2020 forced organizations to shift to a remote-first work culture seemingly overnight. IT Operations teams are challenged with constantly changing and competing priorities from the business and have to be agile to keep it running smoothly.
Keeping it running securely, without drifting from compliance standards, was quite another battle. The larger the infrastructure, and the more hybrid it is, the more complexity there is to manage. IT Operations and Information Security teams had to truly partner on hardening security and enforcing continuous compliance across the IT infrastructure. But how?
We wrote more about this in Foster a Culture of Joint Accountability for Security and Compliance Across an Organization to help you on your journey.
A new day – What does the future hold?
The past 18 months have been unprecedented, to say the least. Some organizations are choosing to keep their workforce remote, others are pulling people back into the office, while others are offering a hybrid model.
Before the pandemic, both IT and Security teams were already leveraging some form of automation to work smarter, not harder. But solving for security and compliance is not one person's or one department's job. Everyone needs to pull their weight, and the best way to do that is to partner cross-functionally within your organization around the common goal of hardening security and ensuring continuous compliance with both internal policies and external regulations and standards.
Savvy organizations understand that automation in both security and compliance efforts is crucial to building the bridges that connect every bone in the organization's body. Automation gives transparency into how policies are encoded into infrastructure, and it provides repeatable, reliable enforcement of those policies. Trusting that the desired state is enforced automatically helps with productivity, yes, but it also frees IT and security teams to focus on novel threats and on remediating vulnerabilities rather than re-checking settings by hand.
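As an added illustration of what "encoding policy into infrastructure" and "enforcing the desired state" look like in practice (this is example code written for this page, not the original post's code or any product's), here is a small Python checker that audits an sshd_config-style file against an encoded policy, reports drift, and remediates it idempotently. The policy values and the sample config are constructed for the example; they resemble common SSH hardening guidance but are not tied to any specific CIS Benchmark control number.

```python
"""Added example: desired-state enforcement of an encoded hardening policy.

Not code from the original post or from any product. The policy values and
the sample config below are constructed for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed policy: the "encoded" compliance requirements. Keys are
# sshd_config directives, values are the settings the policy requires.
SSH_POLICY: dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample config showing drift: one directive wrong, one only
# present as a comment (so NOT in effect), one compliant, one missing.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


@dataclass(frozen=True)
class Drift:
    directive: str
    expected: str
    actual: str | None  # None: directive absent or only commented out


def effective_settings(config_text: str) -> dict[str, str]:
    """Directive -> value for lines sshd would actually honour.
    Comments and blank lines are skipped; first occurrence wins, as in sshd."""
    settings: dict[str, str] = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m and m.group(1) not in settings:
            settings[m.group(1)] = m.group(2)
    return settings


def detect_drift(config_text: str, policy: dict[str, str] = SSH_POLICY) -> list[Drift]:
    """The audit view: every policy directive whose effective value differs."""
    actual = effective_settings(config_text)
    return [Drift(d, want, actual.get(d)) for d, want in policy.items() if actual.get(d) != want]


def enforce(config_text: str, policy: dict[str, str] = SSH_POLICY) -> str:
    """The remediation view: rewrite the config so every policy directive holds.
    Active lines for policy directives are replaced in place (layout is kept),
    later duplicates are dropped, and missing directives are appended under a
    marker comment. Idempotent: enforce(enforce(x)) == enforce(x)."""
    seen: set[str] = set()
    out: list[str] = []
    for line in config_text.splitlines():
        stripped = line.strip()
        m = DIRECTIVE_RE.match(stripped) if stripped and not stripped.startswith("#") else None
        if m and m.group(1) in policy:
            directive = m.group(1)
            if directive in seen:
                continue  # only the first occurrence was ever effective
            seen.add(directive)
            out.append(f"{directive} {policy[directive]}")
        else:
            out.append(line)
    missing = [d for d in policy if d not in seen]
    if missing:
        out.append("# enforced by compliance policy")
        out.extend(f"{d} {policy[d]}" for d in missing)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for drift in detect_drift(SAMPLE_CONFIG):
        print(f"DRIFT {drift.directive}: expected {drift.expected!r}, found {drift.actual!r}")
    fixed = enforce(SAMPLE_CONFIG)
    print("--- remediated config ---")
    print(fixed, end="")
    print("drift after enforcement:", detect_drift(fixed))
```

The two halves map onto the two audiences in the post: `detect_drift` is the evidence a compliance owner needs (what is out of policy, and why, including the common trap of a directive that exists only as a comment), while `enforce` is what IT Operations runs on a schedule so the desired state holds without anyone re-reading config files by hand. Running the same enforcement repeatedly must be safe, which is why the test checks that a second pass changes nothing.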
Needless to say, IT, Security, Risk, and Compliance owners will have to stay on their toes. Our new ebook can guide you through breaking down silos and achieving your goals.